On Wednesday, a jury in Sacramento, California, found Matthew Keys, former social media editor at Reuters and an ex-employee of KTXL Fox 40, guilty of computer hacking under the Computer Fraud & Abuse Act.
In 2010, Keys posted login credentials to the Tribune Company content management system (CMS) to a chatroom run by Anonymous, resulting in the defacement of an LA Times article online. The defacement was reversed in 40 minutes, but the government argued the attack caused nearly a million dollars in damage.
"The government wanted to send a clear message that if you want to cover a group they don't agree with, and you're not complicit with them [the government], they will target you," Keys told me after the trial.
Related Stories
Journalist Matthew Keys has been released from the Satellite Prison Camp Atwater, in Atwater, California, a few months early.
As Ars reported previously, Keys was accused and convicted of handing over a username and password for his former employer KTXL Fox 40's content management system (CMS) to members of Anonymous and instructing people there to "fuck some shit up." Ultimately, that December 2010 incident resulted in someone else using those credentials to alter a headline and sub-headline on a Los Angeles Times article. (Both Fox 40 and the Times are owned by the Tribune Media Company.) The changes lasted for 40 minutes before editors reversed them.
[...] While he had initially wanted to challenge the oft-maligned federal law under which he was convicted, the Computer Fraud and Abuse Act, Keys said his case was ultimately not the right one to bring such a challenge.
Keys and his legal team ultimately decided not to pursue an appeal to the Supreme Court after losing at the 9th US Circuit Court of Appeal in June 2017. Within the next few months he will begin supervised release and will be able to resume work.
From Ars Technica : Matthew Keys, now freed from prison, is ready to get back to journalism
and previously : Former Reuters Journalist Matthew Keys Found Guilty of Three Counts of Hacking [sic].
(Score: 0) by Anonymous Coward on Sunday October 11 2015, @02:46AM
Why did Keys do it? He knew what Anonymous could do, they could really f*** up the site with the login credentials he gave them.
(Score: 0) by Anonymous Coward on Sunday October 11 2015, @02:48AM
Sounds like the LA Times' business, not the govt's.
(Score: 3, Interesting) by Runaway1956 on Sunday October 11 2015, @03:41AM
Agreed. Unfortunately, like most other corporations, the LA times has influence with the government. Campaign donations, among other things, buys a lot of influence. When you have influence, government takes care of you. Suddenly, some petty offense against a corporation becomes a criminal federal offense.
Years in prison for defacing a web page. That is at least as preposterous as million dollar penalties for sharing a couple dozen songs.
That doesn't even take into account the outright dishonesty of the corporation. It cost a million dollars to restore the web page? Lying bastards, it most likely cost less than five thousand dollars, probably less than a thousand dollars. But again, corporations can afford accountants with good imaginations. That's how they avoid paying taxes, as well as misleading investors.
(Score: 0) by Anonymous Coward on Sunday October 11 2015, @04:26AM
It cost a million dollars to restore the web page? Lying bastards, it most likely cost less than five thousand dollars, probably less than a thousand dollars
It might cost half a manhour to restore a (assumed) knowngood copy, they did not know at that time WHERE they were compromised. So they had to check EVERYTHING. They probably weren't even sure whether the backup system was clean or not.
You're probably the kind of guy that says "rape isn't that bad when she doesn't get pregnant or diseased and hey it was over in 5 minutes anyway".
(Score: 3, Insightful) by Runaway1956 on Sunday October 11 2015, @04:59AM
I'm proud of my fan club, but I wish the fans would demonstrate better logic. What does the defecement of a web page have to do with rape? And, why is this fan projecting his attitudes toward rape on me? Some of my fans are embarrassing . . .
(Score: 2) by Phoenix666 on Sunday October 11 2015, @12:01PM
At least you have fans. So many of us don't, you insensitive clod.
Washington DC delenda est.
(Score: 2) by Runaway1956 on Sunday October 11 2015, @03:35PM
But, PHOENIX! You got fans! I skim over all your submissions, and read most of them! It is you who is being insensitive! Oh, boo hoo hoo . . . I'm going to sulk and whine for awhile.
(Score: 3, Insightful) by captain normal on Sunday October 11 2015, @03:43AM
Well that's the biggest crime in America, interfering with some big company's business.
When life isn't going right, go left.
(Score: 4, Insightful) by M. Baranczak on Sunday October 11 2015, @03:35AM
(Score: 4, Insightful) by bradley13 on Sunday October 11 2015, @07:18AM
Sadly, it's par for the course. Most journalists...aren't. I've seen several articles about this case, and none of them contained any in-depth information. In fact, this is the first I knew of him writing a series of articles about Anonymous - before, I had the impression he was just a disgruntled employee. Now, it seems likely that there is more to the story.
There are plenty of unanswered questions. For example, why is he charged with "Transmission of Malicious Code" and also "Attempted Transmission of Malicious Code" - I mean, either he did, or he didn't. Or else there is more than just the single posting of login credentials.
The costs are a fantasy figure, easily manipulated. Correcting the web page and changing the login credentials will have involved only a few people and (we know) about 40 minutes - cost: at most a few hundred dollars. How much additional time was spent on network analysis (i.e., figuring out how the CMS was accessed), on introducing new/different security measures, and on bosses pacing around a conference room? How much reputation damage did they suffer - and how do you calculate that? What portion of these costs do you bang onto the number? Several thousand dollars, I can see. Nearly a million - that's just the prosecutor's tactic, expecting the judge or jury to reign him in.
What makes this ridiculous: consider the real-world equivalent. Someone in your office deliberately hands his keys to a homeless dude. Homeless dude moves into your lobby. You evict the guy. What do you do to the employee? Fire him, maybe. Expect him to pay the cleaning costs, sure. Prosecute him? For what, exactly? Just because this all happened on a computer, it suddenly involves the FBI and federal prosecution? Insane.
Everyone is somebody else's weirdo.
(Score: 3, Insightful) by Phoenix666 on Sunday October 11 2015, @12:04PM
I agree with your assessment, which is why I think it's not about damages but about sending a message to "hackers." Ironically it also communicates quite clearly how little the government knows about actual hackers, if they conflate giving somebody login credentials with transmitting malicious code.
Perhaps they realize how vulnerable they are to technologists, and this is a pure fear reaction.
Washington DC delenda est.
(Score: 0) by Anonymous Coward on Sunday October 11 2015, @05:17PM
consider the real-world equivalent. Someone in your office deliberately hands his keys to a homeless dude. Homeless dude moves into your lobby. You evict the guy.
Are you kidding? A substantial portion of the LA Times' business is delivered through their web site. Keys handed the login creds of the site's CMS to an elite hacking group - that's not at all similar to allowing a homeless person into the lobby at corporate HQ, where a few dozen visitors come tromping through every day.
(Score: 2, Insightful) by Bobs on Sunday October 11 2015, @06:57PM
Are you kidding? A substantial portion of the LA Times' business is delivered through their web site. Keys handed the login creds of the site's CMS to an elite hacking group - that's not at all similar to allowing a homeless person into the lobby at corporate HQ, where a few dozen visitors come tromping through every day.
What if said homeless person set fire to the multimillion dollar office building with people in it? I think it is important to generally punish people for the actual result of their actions, not the theoretically possible results. He allowed a web page to be defaced that was trivial to fix. Not a big deal.
Certainly there are situations where the risks are so extreme you want to come down hard, but how much exposure was there really using a reporter's login credentials? Any moderately competent system will limit a reporter's login to modify some content/text and not much more. So what was the real threat?
If you leave your car keys in your car should you be prosecuted for enabling somebody irresponsible to take a joy ride or for the theoretical risk that they could take the car and crash into a freight train pulling oil tankers, destroying a town and killing many?
Proportionate response is a good thing.
(Score: 2) by darkfeline on Sunday October 11 2015, @07:24AM
So posting passwords is computer hacking now?
Defacing a website is now $1000000 USD in damages?
This is petty crime at best. Egging someone's house does more damage.
Join the SDF Public Access UNIX System today!
(Score: 2, Informative) by Anonymous Coward on Sunday October 11 2015, @12:37PM
There's no reason for a journalist to get in touch with terrorist/pedophile/communist/drug/hacker/whatever-the-boogyman-is-this-year groups unless he's sympathetic.
He knows they're evil because we told him so.
He already knows there is no other side to the story, so why would he look?